Veeam released patches for 13 high-severity and 5 critical vulnerabilities, including one flaw in Veeam Backup & Replication that could result in unauthenticated remote code execution (RCE).
The September 2024 Veeam security bulletin, last updated Thursday, includes bugs discovered in six Veeam products, with CVSS scores ranging from 7.3 to 9.9. Of particular note is the unauthenticated RCE flaw in Veeam Backup & Replication tracked as CVE-2024-40711, which has a critical CVSS score of 9.8 and was reported by Florian Hauser of CODE WHITE GmbH.
While few details were provided about the vulnerability, CODE WHITE said in a social media post that CVE-2024-40711 could enable "full system takeover."
"No technical details from us this time because this might immediately be abused by ransomware gangs," the company stated on X.
Security researchers at watchTowr said they also tested the flaw, stating, "despite shenanigans with CVSS scores, we can confirm the latest Veeam vulnerabilities (CVE-2024-40711) allow auth bypass."
Veeam vulnerabilities have been targeted by ransomware gangs in the past, and users are urged to update their Veeam Backup & Replication instances to version 12.2 to address CVE-2024-40711, along with five other high-severity vulnerabilities.
More RCE vulnerabilities patched in Veeam ONE, Service Provider Console
Another critical vulnerability addressed this week is tracked as CVE-2024-42024, which has a CVSS score of 9.1 and could enable RCE on a machine where Veeam ONE Agent is installed, but only by an attacker who is already in possession of Veeam ONE Agent service account credentials.
A second critical Veeam ONE flaw with a CVSS score of 9.0, tracked as CVE-2024-42019, could enable an attacker to obtain the NTLM hash of a Veeam Reporter Service service account, but requires user interaction and access to additional data from Veeam Backup & Replication. Both of these Veeam ONE flaws are addressed in version 12.2, along with four high-severity bugs.
The other two critical vulnerabilities addressed in this week's bulletin affect Veeam Service Provider Console (VSPC), and both have CVSS scores of 9.9. The first, tracked as CVE-2024-38650, could enable an attacker with low privileges to access the NTLM hash of a service account on a VSPC server, while the second, tracked as CVE-2024-39714, gives low-privileged users the ability to upload arbitrary files to the VSPC server, risking RCE.
The patched version, VSPC version 8.1, resolves both critical flaws along with two high-severity bugs.
The remaining high-severity flaws addressed in the bulletin are in Veeam Agent for Linux, Veeam Backup for Nutanix AHV, and Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization. Users should upgrade to Veeam Agent for Linux version 6.2, Veeam Backup for Nutanix AHV plug-in version 12.6.0.632, and Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization plug-in version 12.5.0.299 to address all flaws; these three patches also come included with Veeam Backup & Replication version 12.2.
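Defenders triaging this bulletin mostly need to answer one question: which installed Veeam components are still below the fixed versions named above? The following script is an added example, not part of the article and not Veeam's own tooling. It compares dotted version strings numerically (a plain string comparison would wrongly rank "12.10" below "12.2") and pads short versions so "12.2" and "12.2.0.0" compare equal. The product names, hostnames and installed versions in the inventory are constructed for illustration; the fixed versions are the ones the bulletin states.

```python
"""Flag Veeam components below the fixed versions in the September 2024 bulletin.
Added example; the inventory below is constructed, not real hosts."""

from dataclasses import dataclass

# Product -> first fixed version, as stated in the bulletin.
FIXED_VERSIONS = {
    "Veeam Backup & Replication": "12.2",
    "Veeam ONE": "12.2",
    "Veeam Service Provider Console": "8.1",
    "Veeam Agent for Linux": "6.2",
    "Veeam Backup for Nutanix AHV plug-in": "12.6.0.632",
    "Veeam Backup for Oracle Linux Virtualization Manager and "
    "Red Hat Virtualization plug-in": "12.5.0.299",
}


def parse_version(text):
    """Turn '12.6.0.632' into (12, 6, 0, 632); reject anything non-numeric.
    Tuples of ints compare component by component, unlike raw strings."""
    parts = text.strip().split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed, fixed):
    """True when installed >= fixed. The shorter tuple is right-padded with
    zeros so '12.2' and '12.2.0.0' are treated as the same version."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


@dataclass
class Finding:
    host: str
    product: str
    installed: str
    fixed: str


def audit(inventory):
    """Return one Finding per (host, product) still below its fixed version.
    inventory: iterable of (host, product, installed_version). Products the
    bulletin does not name are skipped: there is nothing to compare against."""
    findings = []
    for host, product, installed in inventory:
        fixed = FIXED_VERSIONS.get(product)
        if fixed is None:
            continue
        if not is_patched(installed, fixed):
            findings.append(Finding(host, product, installed, fixed))
    return findings


# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE_INVENTORY = [
    ("vbr01.example.test", "Veeam Backup & Replication", "12.1.2.172"),
    ("vbr02.example.test", "Veeam Backup & Replication", "12.2.0.334"),
    ("one01.example.test", "Veeam ONE", "12.10"),  # numerically >= 12.2
    ("vspc01.example.test", "Veeam Service Provider Console", "8.0"),
    ("lnx01.example.test", "Veeam Agent for Linux", "6.2"),
    ("ahv01.example.test", "Veeam Backup for Nutanix AHV plug-in", "12.6.0.631"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.host}: {f.product} {f.installed} < fixed {f.fixed}")
```

On the constructed inventory the script reports vbr01, vspc01 and ahv01 as unpatched; the Nutanix plug-in case shows why the full four-component build number matters, since 12.6.0.631 is one build short of the fixed 12.6.0.632. Feed it real data by replacing `SAMPLE_INVENTORY` with the output of whatever asset inventory you already maintain.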